Preventing crypto-mining attacks: four key steps that’ll keep you safe


We recently published an overview of the rapid rise in mining attacks, how these attacks work, and their impact on businesses around the world.


The rise in cryptocurrency values has incentivized hackers to exploit their victims’ CPU power for crypto-mining operations. Our research shows that these cryptojacking attacks have reached epidemic proportions.



In our previous post we reviewed how the current plague of mining attacks is impacting businesses across the globe in three key ways:


  • Consumption of precious server resources
  • Reduced user productivity
  • Negative impact on company reputation and customer satisfaction


With the correct tools and processes in place, organizations can effectively prevent mining attacks.


1. Patch all systems and applications

Patching is always a good practice and can assist in preventing many crypto-mining and other attacks. If you don’t already do so, you should implement solid patching processes across your IT environment.


Unfortunately, achieving 100% real-time patching and hardening of all systems is impractical for most enterprise environments. Furthermore, patching cannot protect from attacks that leverage unknown or zero-day vulnerabilities.


2. Implement virtual patching with IPS

IPS technology provides a layer of virtual patching in front of all your organization’s systems, servers and endpoints. A capable IPS can prevent the vast majority of mining attacks by blocking exploitation attempts of your systems – even if they are not fully patched.


At Check Point we’ve enhanced our market-leading IPS with specific crypto-mining protections. These protections give full coverage across all the prevailing techniques which mining attacks use to penetrate servers and systems.


We’ve also added dedicated IPS protections to protect users, by blocking web pages which contain mining JavaScript.


IPS protections for companies dealing with cyber attacks


3. Use advanced zero-day protections

A recent study conducted by Check Point uncovered a single threat actor who earned $3M from mining Monero. These lucrative windfalls drive mining attackers to utilize sophisticated evasion techniques. Indeed, we see a clear trend of these attacks becoming more evasive and harder to detect and prevent using conventional protections.


The strongest prevention relies on technologies such as sandboxing, which do not require signatures and can identify any unknown and zero-day malware – including evasive mining malware.


Zero-day prevention is a huge focus area for us at Check Point. We’ve built our SandBlast product suite in order to protect our customers from all forms of sophisticated and evasive malware. And we are very proud of SandBlast’s top security effectiveness score in the recent Breach Prevention System (BPS) test conducted by NSS Labs.


SandBlast combines a wide set of innovative technologies (sandbox, exploit detection, AI, file sanitization, anti-ransomware and many more), with a strong emphasis on evasion resistance, and with full coverage for all IT assets and all attack vectors. SandBlast has proven in the past months its ability to exclusively prevent numerous mining attacks targeting our customers’ networks. The number of evasive mining attacks exclusively blocked by SandBlast doubled over the past month, a clear indication of the criticality of advanced protections.


How our cybersecurity solution threat emulation sandbox protects your organization


4. Protect your cloud assets

Mining attacks have a particular liking for taking over cloud servers.


The cloud’s auto-scaling capability fits perfectly with the miner’s endless thirst for CPU power. As mining malware consumes all the available CPU power, the cloud platform will automatically spawn more instances, allowing the infection to gain huge scalability at the expense of its victim.


All the protections mentioned above apply equally to your cloud environments. The Check Point solution in this space is CloudGuard, which implements all these protections in your cloud environment.


The cloud opens up an additional attack vector: account takeover. The recent mining attack on Uber’s cloud servers was achieved using an account takeover. Check Point research data shows 54% of cloud breaches begin this way.


With account takeover, cloud accounts are penetrated by hackers who obtain or guess the account’s access credentials. Once an attacker has credentials to your cloud environment, it’s easy for them to infect the cloud instances with mining (or any other) malware.


We’ve recently introduced a unique protection, built specifically for protecting cloud assets from account takeover. This new protection is part of our CloudGuard offering, covering both IaaS and SaaS environments. It prevents hackers from accessing cloud environments even if they obtain access credentials.



How our cyber security protects from account takeover user workflow


Maybe You’re Already Infected?


Has your organization already been victimized by crypto-miners?


How can you know? And what can you do about it?


The difficult solution: Monitor CPU usage


One way to tell whether you’ve been hit is to monitor CPU usage on your servers and endpoints across your organization and look for abnormal usage patterns. If you see sustained CPU spikes where you do not expect them, this could indicate that mining malware is in play on one of your systems, and you’ll need to investigate.
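The check described above, as an added example that is not part of the original post: it runs over constructed one-minute CPU samples for three hosts and reports only runs of high CPU that are sustained (a short burst is ignored) and that start outside a host’s declared expected-busy window (a nightly batch job is not a finding). Host names, the sample data and the `expected_busy` window format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-minute CPU samples (timestamp, host, cpu_percent) for three hosts.
def make_samples():
    base = datetime(2018, 3, 1, 2, 0)  # constructed date: 02:00, outside business hours
    samples = []
    for minute in range(30):
        t = base + timedelta(minutes=minute)
        # fs-01: idle file server that becomes pegged at ~96% from 02:10 onwards
        samples.append((t, "fs-01", 4.0 if minute < 10 else 96.0))
        # web-02: a three-minute burst, the kind of short spike that is normal
        samples.append((t, "web-02", 98.0 if 5 <= minute < 8 else 12.0))
        # batch-03: high all night, but its nightly batch window is expected
        samples.append((t, "batch-03", 93.0))
    return samples

def in_expected_window(host, ts, expected_busy):
    """True if ts falls inside the host's declared (start_hour, end_hour) busy window."""
    window = expected_busy.get(host)
    return window is not None and window[0] <= ts.hour < window[1]

def find_sustained_cpu(samples, threshold=90.0, min_samples=10, expected_busy=None):
    """Return one finding per run of >= min_samples consecutive samples at or above
    threshold whose start lies outside the host's expected busy window."""
    expected_busy = expected_busy or {}
    by_host = defaultdict(list)
    for ts, host, cpu in sorted(samples):
        by_host[host].append((ts, cpu))
    findings = []
    for host, series in by_host.items():
        run = []
        for ts, cpu in series + [(None, 0.0)]:  # sentinel flushes the final run
            if cpu >= threshold:
                run.append((ts, cpu))
                continue
            if len(run) >= min_samples and not in_expected_window(host, run[0][0], expected_busy):
                findings.append({
                    "host": host, "start": run[0][0], "end": run[-1][0],
                    "samples": len(run),
                    "avg_cpu": round(sum(c for _, c in run) / len(run), 1),
                })
            run = []
    return findings

if __name__ == "__main__":
    for f in find_sustained_cpu(make_samples(), expected_busy={"batch-03": (0, 6)}):
        print("%(host)s: %(samples)d samples >= threshold from %(start)s, avg %(avg_cpu)s%%" % f)
```

Only fs-01 is reported with the batch window declared; without it, batch-03 is reported too, which is exactly the tuning burden that makes this approach hard to scale.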


Obviously this approach is not very practical: it is complex, time consuming, and does not scale efficiently.


The recommended solution: Use Anti-Bot


Like all malware, crypto-mining requires a channel of command-and-control (CnC) communications in order to operate. In the mining world, CnC communications are used to maintain the mining software’s synchronization with the blockchain, thus keeping the attack active.


Cryptomining CnC traffic can be detected and blocked. Blocking it will stop the attack, while the detection log can alert the organization that there is an infection that requires handling.


Our threat prevention product suite includes Anti-Bot technology. Anti-Bot detects and blocks CnC communications of all infections, including mining malware. Blocking the communication forces the mining malware to halt its mining activity and go dormant. The detection log is a clear indication of an infected host.



With the recent surge of mining attacks, Check Point researchers have moved to monitor them very closely, analyzing and mapping the numerous CnC domains and communication patterns. The resulting intelligence is fed in real-time to Anti-Bot, giving us excellent coverage in post-infection detection and containment of hosts infected with cryptojacking malware.
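Detection logic of the kind described in the preceding paragraphs, as an added example that is not Check Point’s Anti-Bot or any code from the original post: it runs over constructed outbound-connection log lines and flags a session when its destination matches an assumed intelligence feed of mining CnC domains (placeholders here) or its first payload carries a Stratum-style JSON-RPC mining method, the pool protocol most miners use for the channel the text refers to. The log format, host names and indicator values are assumptions for the example.

```python
import json
from collections import namedtuple

# Stratum-style JSON-RPC methods used by miners to talk to their pool/CnC.
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}
# Assumed threat-intelligence feed of mining CnC domains; placeholders, not real indicators.
KNOWN_MINING_DOMAINS = {"pool.example.invalid"}

# Constructed outbound-connection log lines: key=value fields, then the session's first payload.
LOG_LINES = [
    'time=2018-03-01T02:11:05Z host=fs-01 dst=203.0.113.10:3333 dns=pool.example.invalid '
    'payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","agent":"miner/1.0"}}',
    'time=2018-03-01T02:11:09Z host=web-02 dst=198.51.100.7:443 dns=updates.example.invalid '
    'payload=GET /index.html HTTP/1.1',
    'time=2018-03-01T02:12:40Z host=db-01 dst=203.0.113.55:14444 dns=- '
    'payload={"id":2,"method":"submit","params":{"job_id":"JOB_PLACEHOLDER","nonce":"00000000"}}',
    'time=2018-03-01T02:13:02Z host=ws-09 dst=203.0.113.10:3333 dns=pool.example.invalid payload=',
]

Finding = namedtuple("Finding", "time host dst reason action")

def parse_line(line):
    """Split 'k=v k=v payload=<raw>' into a dict; the payload is kept verbatim."""
    head, _, payload = line.partition(" payload=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["payload"] = payload
    return fields

def classify(line):
    """Return a Finding if the line looks like mining CnC traffic, else None."""
    f = parse_line(line)
    reasons = []
    if f.get("dns") in KNOWN_MINING_DOMAINS:
        reasons.append("known mining domain")
    try:
        msg = json.loads(f["payload"])
    except ValueError:
        msg = None  # not JSON (or empty): the protocol heuristic does not apply
    if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
        reasons.append("stratum method " + msg["method"])
    if not reasons:
        return None
    # Blocking stops the mining; the log entry is the indicator of an infected host.
    return Finding(f["time"], f["host"], f["dst"], "; ".join(reasons), "block+alert")

def scan(lines):
    return [finding for finding in map(classify, lines) if finding is not None]
```

`scan(LOG_LINES)` flags fs-01, db-01 and ws-09 and leaves the ordinary HTTP session from web-02 alone; db-01 is caught by the protocol heuristic even though its destination is not in the feed.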


Our SandBlast technology can take Anti-Bot detections one step further. Our advanced endpoint protection, SandBlast Agent, offers completely automated remediation and a forensic root-cause analysis of the infection.


SandBlast forensic analysis of Graftor adware running mining activity



Driven by the booming cryptocurrency values and the subsequent financial rewards to coin miners, crypto-mining attacks have reached epidemic proportions and are now targeting organizations across the globe.


The outstanding volume and prevalence of these cryptojacking attacks means that they can no longer be ignored. As we have shown, they can inflict substantial damage on any business.


The good news is that organizations can effectively prevent these attacks by implementing advanced protections across their network. These are the same protections you should be using anyway in order to combat all forms of cyberwarfare.


Check Point’s SandBlast delivers a total solution for preventing all advanced threats, by providing coverage for all attack vectors across all IT elements – network, cloud, endpoint and mobile. Following the recent surge in mining attacks, we’ve made sure that our SandBlast solution effectively prevents these attacks as well.